Announcing Windows 11 Insider Preview Build 25992 (Canary Channel)

Hello Windows Insiders,

Today we are releasing Windows 11 Insider Preview Build 25992 to the Canary Channel.

REMINDER: As builds released to the Canary Channel are “hot off the presses,” we will offer limited documentation for builds flighted to the Canary Channel including documenting only the most significant and highly impactful known issues. Please note that we will not publish a blog post for every flight – only when new features are available in a build.

What’s new in Build 25992

SMB Changes

Starting with this build (Build 25992), we are introducing the following Server Message Block (SMB) protocol changes.

SMB firewall rule changes: Creating SMB shares changes a longtime Windows Defender Firewall default behavior. Previously, creating a share automatically configured the firewall to enable the rules in the “File and Printer Sharing” group for the given firewall profiles. Now, Windows automatically configures the new “File and Printer Sharing (Restrictive)” group, which no longer contains inbound NetBIOS ports 137-139. We plan future updates for this rule to also remove inbound ICMP, LLMNR, and Spooler Service ports and restrict down to the SMB sharing-necessary ports only.

This change enforces a higher degree of default of network security as well as bringing SMB firewall rules closer to the Windows Server “File Server” role behavior. Administrators can still configure the “File and Printer Sharing” group if necessary as well as modify this new firewall group.

For more information on this change, review https://aka.ms/SMBfirewall. For more information on SMB network security, review Secure SMB Traffic in Windows Server.

SMB NTLM blocking exception list: The new SMB NTLM blocking feature first announced in Windows 11 Insider Preview Build 25951 now supports specifying exception lists for NTLM usage. This allows an administrator to configure a general block on NTLM usage while still allowing clients to use NTLM for specific servers that do not support Kerberos, either because they are not Active Directory domain joined or are a third party without Kerberos support.

For more information on this change, review https://aka.ms/SmbNtlmBlock.

SMB alternative client and server ports: The SMB client now supports connecting to an SMB server over TCP, QUIC, or RDMA using alternative network ports to the hardcoded defaults. Previously, SMB only supported TCP/445, QUIC/443, and RDMA iWARP/5445. In addition, the SMB over QUIC server in Windows Server also supports endpoints configured with different ports than 443 (this option will be part of a separate Windows Server Insider Preview release). Windows Server does not support configuring alternative SMB server TCP ports, but third parties such as Samba do.

You can specify an alternative SMB client port using the NET USE command and New-SmbMapping PowerShell cmdlet. You can also completely disable this feature with a group policy.

For more information on using this option, review https://aka.ms/SMBAlternativePorts. For more information on configuring non-standard SMB server ports in third parties, consult their product documentation.

SMB over QUIC client access control certificate changes: The SMB over QUIC client access control feature first announced in Windows 11 Insider Preview Build 25977 now supports using certificates with subject alternative names and not just a single subject. This means the client access control feature now supports using a Microsoft AD Certificate Authority and multiple endpoint names, just like the currently released version of SMB over QUIC. You can now evaluate the feature using the recommended options and not require self-signed test certificates.

For more information on this change, review https://aka.ms/SmbOverQUICCAC. For more information on SMB over QUIC, review https://aka.ms/SMBoverQUIC.

Changes and Improvements

[File Explorer]

• Did some work which should help noticeably improve the performance of opening large .zip files in File Explorer.

Snipping Tool Update

We are rolling out Snipping Tool (version 11.2310.49.0) to Windows Insiders in the Canary and Dev Channels improving HDR display support. Screenshots and screen recording on displays with HDR enabled should be able to better display colors.

FEEDBACK: Please file feedback in Feedback Hub (WIN + F) under Apps > Snipping Tool.

For developers

You can download the latest Windows Insider SDK at aka.ms/windowsinsidersdk.

SDK NuGet packages are now also flighting at NuGet Gallery | WindowsSDK which include:

• .NET TFM packages for use in .NET apps as described at ms/windowsinsidersdk
• C++ packages for Win32 headers and libs per architecture
• BuildTools package when you just need tools like MakeAppx.exe, MakePri.exe, and SignTool.exe

These NuGet packages provide more granular access to the SDK and better integration in CI/CD pipelines.

SDK flights are now published for both the Canary and Dev Channels, so be sure to choose the right version for your Insider Channel.

Remember to use adaptive code when targeting new APIs to make sure your app runs on all customer machines, particularly when building against the Dev Channel SDK. Feature detection is recommended over OS version checks, as OS version checks are unreliable and will not work as expected in all cases.

About the Canary Channel

The Canary Channel is the place to preview platform changes that require longer-lead time before getting released to customers. Some examples of this include major changes to the Windows kernel, new APIs, etc. Builds that we release to the Canary Channel should not be seen as matched to any specific release of Windows and some of the changes we try out in the Canary Channel will never ship, and others could show up in future Windows releases when they’re ready.

The builds that will be flighted to the Canary Channel are “hot off the presses,” flighting very soon after they are built, which means very little validation and documentation will be done before they are offered to Insiders. These builds could include major issues that could result in not being able to use your PC correctly or even in some rare cases require you to reinstall Windows. We will offer limited documentation for the Canary Channel, but we will not publish a blog post for every flight – only when new features are available in a build.

Our Canary Channel won’t receive daily builds; however, we may ramp up releasing builds more frequently in the future.

The desktop watermark you see at the lower right corner of your desktop is normal for these pre-release builds.

*Availability of Copilot in Windows: Copilot in Windows in preview is being rolled out gradually to Windows Insiders in select global markets. The initial markets for the Copilot in Windows preview include North America, United Kingdom and parts of Asia and South America. It is our intention to add additional markets over time.

Important Insider Links

• You can check out our Windows Insider Program documentation here.
• Check out Flight Hub for a complete look at what build is in which Insider channel.

Before you update your machine, visit the Announcing Windows 11 Insider Preview Build 25992 (Canary Channel) | Windows Insider Blog today to view full details on new features, general changes, improvements, known issues and much more!